This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mike_Jensen
Advisor
‎2019-04-22 07:51 AM

NTP R80.10 2200 appliances will not sync

Has anyone else encountered this issue?

 

I have several 2200 appliances running R80.10 with Jumbo Hotfix Accumulator 189 and I cannot get them to sync with any NTP server.  I have tried us.pool.ntp.org, pool.ntp.org, individual public NTP servers by IP.

I have a firewall policy rule allowing these security gateways to any destination for service "NTP" and any to these security gateways for service "NTP".

 

DNS resolves domain names fine on these gateways.

 

I have tried stopping and starting the NTP service.  cpstop/cpstart and even a reload.  

tcpdump -i eth1 dst port 123  shows packets to and from the chosen NTP server but I can't get a synchronization to happen:

 

tcpdump -i eth1 dst port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:41:31.052665 IP 96-80-255-145-static.hfc.comcastbusiness.net.ntp > quirk.faceprint.com.ntp: NTPv1, Client, length 48
10:41:31.090541 IP quirk.faceprint.com.ntp > 96-80-255-145-static.hfc.comcastbusiness.net.ntp: NTPv1, Server, length 48
10:42:36.051960 IP 96-80-255-145-static.hfc.comcastbusiness.net.ntp > quirk.faceprint.com.ntp: NTPv1, Client, length 48
10:42:36.096849 IP quirk.faceprint.com.ntp > 96-80-255-145-static.hfc.comcastbusiness.net.ntp: NTPv1, Server, length 48
10:43:40.052196 IP 96-80-255-145-static.hfc.comcastbusiness.net.ntp > quirk.faceprint.com.ntp: NTPv1, Client, length 48
10:43:40.092700 IP quirk.faceprint.com.ntp > 96-80-255-145-static.hfc.comcastbusiness.net.ntp: NTPv1, Server, length 48
10:44:46.051565 IP 96-80-255-145-static.hfc.comcastbusiness.net.ntp > quirk.faceprint.com.ntp: NTPv1, Client, length 48

 

 

ntpq peers shows the following:

[Expert@shelby-gw:0]# ntpq
ntpq> peers
remote refid st t when poll reach delay offset jitter
==============================================================================
quirk.faceprint .INIT. 16 u - 256 0 0.000 0.000 0.000
ntpq>

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2019-04-22 08:43 AM

Unless your system clock is already relatively close to what the NTP server says, NTP will not sync.
This is because ntpd "skews" the clock to keep it in sync, but won't do it when there is a significant difference (several minutes).
You can force this by executing the command ntpdate us.pool.ntp.org
This will force the clock to be set to what the NTP server says it should be.
Then ntpd should be able to get into sync.
0 Kudos
Mike_Jensen
Advisor
‎2019-04-22 08:49 AM
In response to PhoneBoy

Hi PhoneBoy,

 

The clocks and dates on these devices are set manually to the correct time before I try to sync with NTP.

I receive the below message when I try ntpdate us.pool.ntp.org , and the security gateway doesn't sync.

 


[Expert@shelby-gw:0]# ntpdate us.pool.ntp.org
22 Apr 11:48:20 ntpdate[10306]: the NTP socket is in use, exiting
[Expert@shelby-gw:0]#

0 Kudos
PhoneBoy
Admin
Admin
‎2019-04-22 08:55 AM
In response to Mike_Jensen

Disable ntpd first, then try to use the command.
0 Kudos
Mike_Jensen
Advisor
‎2019-04-22 01:53 PM
In response to PhoneBoy

Disabling NTP first, then running the command, and re enabling NTP has made NTP start working on most of my 2200's, but there are a handful that still won't sync once NTP is enabled.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-04-22 01:54 PM
In response to PhoneBoy

Make sure that you add version 3 or version 4 behind the ntp server commands. Then in expert type ntpq and on the next prompt enter peers, you should see something like this:
ntpq> peers
remote refid st t when poll reach delay offset jitter
==============================================================================
10.10.10.10 10.94.76.68 2 u 30 64 1 5.792 0.009 0.001
10.10.20.20 .GPS. 1 u 25 64 1 3.926 0.004 0.001
If you don't also check the rulebase if it allows for NTP from the gateway to the internet.
Regards, Maarten
0 Kudos
Mike_Jensen
Advisor
‎2019-05-09 08:06 AM
In response to Maarten_Sjouw

Hello,

 

Most of my 2200's running R80.10 are now synced with NTP after following the suggestions above, however there are still a couple that will not sync no matter what I do.  

Does anyone have any other ideas?

0 Kudos
Jerry
Mentor
Mentor
‎2019-05-09 08:10 AM
In response to Mike_Jensen

and what you've got as an output when you put:

 

ntpq -p

 

please paste 😉

Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-05-09 08:13 AM

also if you could paste here cpinfo -y all ... that would help.

I have experienced the very same but on 3200 appliance last month on R80.10 take 15x but fixed that with new DA 🙂

Still believe it was coincidental though 

Jerry
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events